Are you protected from the Heartbleed bug? 6 questions to ask

By now you have likely heard about the Heartbleed bug, which is causing a big headache for organizations and individuals around the world. If you don't have time to read up on it extensively, the next paragraph is really all you need to know:

If you do one thing about Heartbleed, change your passwords, but change each one only after the site in question confirms it has patched the bug; a new password typed into a still-vulnerable site can leak exactly like the old one did. Pick long passwords built from several words, or from a mix of letters, numbers and symbols, and never use the same password on more than one site. Get into the habit of changing a password whenever the site reports a breach, and on a regular basis otherwise.

1) What is the Heartbleed bug?

Heartbleed is a flaw in OpenSSL, a widely used software library that implements the SSL/TLS protocols protecting a large share of the websites that store and transmit sensitive data such as banking information, passwords and credit card numbers over the Internet. The bug (tracked as CVE-2014-0160) sits in OpenSSL's implementation of the TLS "heartbeat" extension: a heartbeat request states how many bytes of data it carries, and the vulnerable versions (OpenSSL 1.0.1 through 1.0.1f) copied that many bytes back to the sender without checking that the request was really that long. An attacker can therefore read up to 64 KB of the server's memory per request, repeat the request as often as desired, and leave nothing unusual in the server's logs. The memory "snippets" returned are whatever happened to be nearby: session cookies, usernames and passwords being processed for other visitors, and potentially the server's own private key, all of which were assumed to be protected by the encryption.
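To make the flaw concrete, here is an added example (not from the original article and not OpenSSL's code) that models the heartbeat handler in Python. The record layout and the two bounds checks follow RFC 6520 and the OpenSSL 1.0.1g fix; the "process memory", the request contents and the neighbouring secret are constructed for the demonstration. Python slicing stops at the end of the constructed buffer, whereas the real C code kept reading the live heap.

```python
import struct

# Heartbeat message types and minimum padding from RFC 6520.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LENGTH = 16


def parse_header(memory: bytes, offset: int):
    """Read the 1-byte type and 2-byte big-endian payload_length field."""
    hb_type = memory[offset]
    (payload_length,) = struct.unpack_from("!H", memory, offset + 1)
    return hb_type, payload_length


def build_response(payload_length: int, payload: bytes) -> bytes:
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length)
            + payload + b"\x00" * PADDING_LENGTH)


def heartbeat_vulnerable(memory: bytes, offset: int, record_length: int) -> bytes:
    """Model of OpenSSL 1.0.1 to 1.0.1f: the attacker-supplied payload_length is
    trusted and that many bytes are echoed, even when the record that actually
    arrived (record_length bytes) was far shorter."""
    hb_type, payload_length = parse_header(memory, offset)
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    payload_start = offset + 3
    # BUG: record_length is never consulted, so the copy runs past the request
    # into whatever the process stored next to it.
    payload = memory[payload_start:payload_start + payload_length]
    return build_response(payload_length, payload)


def heartbeat_fixed(memory: bytes, offset: int, record_length: int):
    """Same handler with the two checks added in OpenSSL 1.0.1g. Returns None
    when the record is silently discarded, as RFC 6520 section 4 requires."""
    if 1 + 2 + PADDING_LENGTH > record_length:
        return None  # too short to hold even a header plus padding
    hb_type, payload_length = parse_header(memory, offset)
    if 1 + 2 + payload_length + PADDING_LENGTH > record_length:
        return None  # claimed payload does not fit in the bytes received
    if hb_type != HEARTBEAT_REQUEST:
        return None
    payload_start = offset + 3
    return build_response(payload_length, memory[payload_start:payload_start + payload_length])


def build_request(payload: bytes, claimed_length: int) -> bytes:
    """Constructed heartbeat request whose header claims claimed_length bytes
    while only len(payload) bytes (plus padding) are actually sent."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_length)
            + payload + b"\x00" * PADDING_LENGTH)


# Constructed stand-in for server memory: the incoming record is followed by
# data belonging to other connections.
MALICIOUS_REQUEST = build_request(b"ping", claimed_length=200)
HONEST_REQUEST = build_request(b"ping", claimed_length=len(b"ping"))
NEIGHBOURING_DATA = b"Cookie: session=3f9a1c; password=hunter2; -----BEGIN RSA PRIVATE KEY-----"
MEMORY = MALICIOUS_REQUEST + NEIGHBOURING_DATA


def leaked_bytes() -> bytes:
    """Payload the vulnerable handler echoes back for the malicious request."""
    response = heartbeat_vulnerable(MEMORY, 0, len(MALICIOUS_REQUEST))
    (echoed_length,) = struct.unpack_from("!H", response, 1)
    return response[3:3 + echoed_length]


def fixed_response_to_malicious():
    return heartbeat_fixed(MEMORY, 0, len(MALICIOUS_REQUEST))


def fixed_response_to_honest():
    return heartbeat_fixed(HONEST_REQUEST + NEIGHBOURING_DATA, 0, len(HONEST_REQUEST))


if __name__ == "__main__":
    print("vulnerable handler leaked:", leaked_bytes())
    print("fixed handler, malicious request:", fixed_response_to_malicious())
    print("fixed handler, honest request:", fixed_response_to_honest())
```

Run as a script, the first line shows the four-byte "ping" followed by the neighbouring cookie, password and key material; the fixed handler drops the oversized request and still answers the honest one normally.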

2) How do I check if the Heartbleed bug affects me?

Security researchers estimated that roughly 500,000 websites worldwide were exposed to this bug. In all likelihood you should assume that one or more sites you use were affected and take precautions. Many large banks reported that their sites were not affected because they were not running the vulnerable OpenSSL versions, although you should confirm this with your financial institution. Several popular technology websites have compiled lists of the most popular sites, stating whether each has patched the Heartbleed bug and what follow-up actions customers should take. These two lists are here and here. Note that a site is only truly safe once it has both installed the fixed OpenSSL version and replaced its TLS certificate, because the old private key may have been exposed; look for a statement covering both before you change your password there.

3) Which passwords should I change?

In a single word: ALL. You may ask, "Why should I bother to change my password if a site has not been breached?" The Heartbleed incident is a wake-up call. It is an opportunity to set your own password policy and a schedule for changing passwords periodically. If you are concerned about remembering them all, there are helpful tools available. A password manager stores the passwords for all of your accounts and can generate a different random password for each site, so you only need to remember one hard-to-break master password that unlocks the rest. Five popular password managers evaluated in a recent USA Today article are LastPass, Dashlane, 1Password, Keeper and PasswordBox.

4) What is a good password policy?

Steer clear of short and obvious passwords, especially those on SplashData's list of "Worst Passwords of 2013". The best password is one that is easy for you to remember but hard for someone else, or for a computer running through billions of guesses, to hit upon. There are different approaches; use one that works for you. A good option is a combination of upper- and lowercase letters, numbers and symbols. One headache is that each website has different password requirements.

Another, more secure approach is to make the password a long passphrase. All else being equal, the longer the password, the more guesses an attacker needs, so "mary had a little lamb" (with the spaces, if the site allows them) stands up to brute force far better than a short mixed-character password like "mary4lamb". The catch is that attackers also try dictionaries of famous quotations, song lyrics and nursery rhymes, so a phrase everyone knows gains less from its length than it appears to. The xkcd comic "Password Strength" illustrates the better version: several common words chosen at random, which are easy to remember once you turn them into a little story but do not appear in any phrase list. If you do start from a known phrase, at least scramble it: "lamb mary had a little" is harder to guess than the original title and still easy to recall.

Never reuse one password across sites: when one site leaks it, attackers immediately try it on every other popular site. A simple way to vary a memorable passphrase is to add a letter or number tied to the site. One method is to include the first or last letter of the site name (e.g. for Facebook, "lamb mary had f little", swapping the word "a" for "f"); another is a number (Facebook has 8 letters, so "lamb mary had a little 8"). Be aware that this is only a modest safeguard: anyone who obtains one of your passwords and spots the pattern can guess the variants for other sites. Treat it as a fallback for the few accounts you must type by hand, and let a password manager generate genuinely unrelated passwords for the rest.

5) What if a site limits the number of characters (letters/numbers) available for a password?

Some sites restrict password length to 8 or 10 characters. In this case, use a mix of upper case, lower case, numbers and symbols, such as "M4ryl4mB" instead of a weak password like "marylamb". Keep in mind that swapping letters for look-alike digits is among the first tricks password-cracking tools apply, so within a short limit a genuinely random string (the kind a password manager generates for you) is stronger than a disguised word.
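As an added example covering questions 4 and 5 (not code from the original article): generating a passphrase or a short random password with a cryptographically secure generator, and estimating the number of guesses each style forces on an attacker. The comparison goes beyond the article's single example. The wordlist is a constructed stand-in, the 7,776-word list size is that of Diceware-style lists, and the guess rate and the size of the attacker's phrase dictionary are assumptions.

```python
import math
import secrets
import string

# Constructed stand-in wordlist (16 words = 4 bits per word). Real lists such as
# the EFF/Diceware lists have 7,776 words, about 12.9 bits per word.
SAMPLE_WORDLIST = [
    "apple", "river", "candle", "tiger", "ocean", "pencil", "castle", "violet",
    "hammer", "meadow", "silver", "rocket", "button", "forest", "ladder", "window",
]
# Alphabet for sites that cap the length: letters, digits and symbols (94 chars).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Guessing entropy of a secret made of `symbols` independent, uniformly
    random picks from `choices_per_symbol` options: log2 of the search space."""
    return symbols * math.log2(choices_per_symbol)


def generate_passphrase(wordlist, words: int = 5, separator: str = " ") -> str:
    """Random passphrase. secrets.choice is a CSPRNG; the `random` module is
    predictable and must never be used for passwords."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def generate_password(length: int = 10, alphabet: str = FULL_ALPHABET) -> str:
    """Random short password for a site with a length limit."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole search space. 1e10 guesses/s is an assumed
    rate for a GPU rig against a fast, unsalted hash; slow hashes such as bcrypt
    cut it by orders of magnitude."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare_strategies() -> dict:
    """Search-space sizes for the password styles discussed above. The last entry
    assumes an attacker dictionary of about a million well-known phrases: a famous
    line is only as strong as that dictionary, however long the line is."""
    return {
        "8 random mixed-case letters and digits": entropy_bits(62, 8),
        "10 random chars from 94-symbol alphabet": entropy_bits(94, 10),
        "4 random words from a 7776-word list": entropy_bits(7776, 4),
        "5 random words from a 7776-word list": entropy_bits(7776, 5),
        "a well-known phrase (1 of ~1e6)": math.log2(1e6),
    }


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(SAMPLE_WORDLIST))
    print("short password:", generate_password())
    for label, bits in compare_strategies().items():
        print(f"{label:42s} {bits:5.1f} bits, {years_to_exhaust(bits):.2e} years to exhaust")
```

The point the numbers make is that strength comes from how many equally likely choices the attacker must cover, not from length as such: four random words beat eight random mixed characters, and both dwarf any phrase that appears in a quotations dictionary.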

6) How do I protect myself in the future?

Pay attention to websites that offer additional levels of authentication. Many popular websites now let you register your mobile number, originally so you can recover a forgotten password, and many use the same phone for "two-factor authentication". Rather than two passwords, this requires something you know (your normal password) plus something you have (your phone): after entering the password, you also enter a one-time code that is sent to you as a text message or displayed by an authenticator app on the phone each time you log in. Because the code changes every time and expires within moments, a stolen password alone is no longer enough to get into the account. Some sites ask for the code on every login, others only when you log in from a new computer or device. Where you have the choice, prefer codes generated by an app over text messages; a text message can be intercepted or redirected, for example by someone who talks your carrier into moving your number to a new SIM card.

Finally, never share a password via email. It is the equivalent of leaving it on a sticky note on your monitor. Email sits in plain text on the sending and receiving mail servers and is often relayed between them without encryption, so anyone with access to those servers or the network path can read it and keep a copy indefinitely. If you need to share a password with someone, do it verbally by phone or, if absolutely necessary, send it as a text message without any context such as the username or the website it belongs to, and change it once the other person has used it.

Final Thoughts

Security threats are a fact of life now that the Internet is an essential part of most people's lives, from email to banking to shopping to conversations on social networking sites. The bottom line is that as long as passwords are required, the best thing you can do to protect yourself is to use a strong and different password for each site, ideally generated and stored by a password manager. Change your passwords whenever a site you use reports a breach, and on a regular basis otherwise.